[Linux-ima-user] IMA and MAC labels integrity check

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi all

i'm trying to protect the integrity of labels used by a Mandatory Access 
Control to enforce security policies.

I see that it's possible to create custom ima policies that permit to find with 
more fine granularity objects of the system to be measured.

In SELinux i have such transition:

type_transition initrc_t myapp_exec_t:process myapp_t;

and such type of executable is the only entrypoint for the domain myapp_t.

Instead of adding an hmac signature over the executable, i'm thinking of 
modify IMA in order to measure and verify the binary against a value 
previously collected and to allow/deny the operation requested depending on 
the result.

I can have a rule that filter the execve of myapp by writing such ima policy:

obj_type=myapp_exec_t func=BPRM_CHECK  

with the addition:
HASH=<good value>

In such case, if the calculated hash is different, IMA will deny the operation.
Does this proposal addresses the issue?

Thanks for replies.